Thursday, June 9, 2011

Amazon Kindle Forensics

As technology becomes more ubiquitous, everyday objects are being replaced by their computerized equivalents. The ways we relax, consume media and keep in touch with friends have multiplied as large desktop computers give way to inexpensive, low-power devices that fit in a pocket or sit next to a cup of coffee on the living room table. Even a specialized device such as the Amazon Kindle, designed by Lab126 specifically for reading books, carries extra features such as an MP3 player and a web browser. In a criminal investigation, devices like these are valuable sources of evidence. In this post, we take a detailed look at the hardware and software of a 3rd generation Kindle to show how much information even a single-purpose device can yield in a forensic examination.

The Blood and Guts

As seen above, the Kindle uses a low-power E Ink Pearl display, driven by an Epson E Ink controller (1A), to give the reader a crisp, clear screen for long hours of reading. The device is powered by a 3.7 V, 1750 mAh lithium-polymer battery (1B), managed by a Freescale MC13892 power management chip (1C), that lasts roughly three weeks to a month depending on how often pages are turned and whether Wi-Fi or 3G is switched on. As with most mobile and embedded electronics, the processor is ARM11-based: a Freescale i.MX353 applications processor clocked at 532 MHz (1D), paired with Samsung DRAM (1E). For audio, the Kindle carries a Wolfson Microelectronics WM8960G stereo codec (1F), 1 W speakers (1G) and a headphone driver chip (1H).

The Kindle 3 connects to the Internet through a built-in Atheros AR6102G wireless module (1I), which supports 802.11b/g with WEP, WPA and WPA2, and over AT&T's 3G data network (branded Whispernet by Amazon) through an AnyDATA DTP-600W modem (1J). Web pages are browsed with the device's WebKit-based browser. For seizure purposes, then, a Kindle must be handled like any other network-capable mobile device: store it in a shielded container (a Faraday bag or equivalent) so that it cannot reach any network. An unattended connection could change evidence, for example by overwriting metadata, or deliver a remote command issued at the owner's request (such as a deregistration) that alters or disables the device.

Getting into some GBs
The Kindle's micro-B USB port (1K) lets the user plug the device into a computer. Storage is 4 GB of internal Samsung flash memory (1L), of which roughly 3.05 GB is exposed as the user-accessible content area. That area presents itself as an ordinary USB mass-storage device, so it can be imaged like any other USB drive. For this examination, the 3.05 GB user area was imaged through a hardware write-blocker, using the USB cable supplied with the Kindle and the Linux command-line tool dd. As with any acquisition, compute a cryptographic hash of the image as soon as it is made and record it, so that later analysis can be shown to have left the image unchanged.

The dd image shows a single partition formatted as FAT32 (the boot sector's OEM name, "mkdosfs", indicates the volume was created with mkdosfs); fdisk reports it as follows:

Disk /dev/sdd: 3282 MB, 3282272256 bytes
4 heads, 16 sectors/track, 100167 cylinders
Units = cylinders of 64 * 512 = 32768 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System
/dev/sdd1 1 100167 3205336 b W95 FAT32
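The same facts fdisk prints above can be derived directly from the image bytes, which is preferable in an examination because the partition offset and file-system parameters then come from the evidence rather than from a tool's display. The following Python is an added example and not code from the original post: it parses the MBR partition table and the FAT32 boot sector of a raw dd image, hashes the image, and reports the byte offset needed to loop-mount the partition read-only. The sample image it builds is constructed here to mirror the fdisk numbers above (partition type 0x0b, 3205336 one-KiB blocks, partition starting at sector 16); the volume label "Kindle", the volume serial and the other BPB values inside it are assumptions.

```python
"""Parse an MBR partition table and FAT32 boot sector from a raw dd image.

Added example, not from the original post. The sample image at the bottom
is constructed to mirror the fdisk output on the page; its volume label,
serial number and remaining BPB values are assumptions.
"""
import hashlib
import struct

SECTOR = 512
SIGNATURE = b"\x55\xaa"      # boot-sector signature at bytes 510..511


def _text(raw):
    """Decode a space/NUL-padded ASCII field."""
    return raw.decode("ascii", "replace").rstrip("\x00 ")


def parse_mbr(image):
    """Return the non-empty primary partition entries found in sector 0."""
    if len(image) < SECTOR or image[510:512] != SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    entries = []
    for i in range(4):
        # entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", image, 446 + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        entries.append({
            "bootable": boot == 0x80,
            "type": ptype,                # 0x0b = "W95 FAT32", as fdisk printed
            "start_lba": start,
            "sectors": count,
            "byte_offset": start * SECTOR,   # value for mount -o ro,loop,offset=...
            "size_bytes": count * SECTOR,
        })
    return entries


def parse_fat32_boot_sector(image, offset):
    """Decode the BIOS Parameter Block of the FAT32 volume at byte offset."""
    bs = image[offset:offset + SECTOR]
    if len(bs) < SECTOR or bs[510:512] != SIGNATURE:
        raise ValueError("no boot-sector signature at offset %d" % offset)
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", bs, 11)
    total16 = struct.unpack_from("<H", bs, 19)[0]
    total32, spf = struct.unpack_from("<II", bs, 32)
    root_cluster = struct.unpack_from("<I", bs, 44)[0]
    volume_id = struct.unpack_from("<I", bs, 67)[0]
    info = {
        "oem_name": _text(bs[3:11]),       # "mkdosfs" on a mkdosfs-created volume
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fat_count": nfats,
        "total_sectors": total32 or total16,
        "sectors_per_fat": spf,
        "root_cluster": root_cluster,
        "volume_id": "%08X" % volume_id,
        "volume_label": _text(bs[71:82]),
        "fs_type": _text(bs[82:90]),
    }
    if info["fs_type"] != "FAT32":
        raise ValueError("boot sector is not FAT32: %r" % info["fs_type"])
    return info


def verify_image(image):
    """Hash the image and decode its first FAT32 partition."""
    parts = parse_mbr(image)
    fat = next(p for p in parts if p["type"] in (0x0B, 0x0C))   # FAT32 / FAT32 LBA
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "partitions": parts,
        "fat32": parse_fat32_boot_sector(image, fat["byte_offset"]),
    }


def build_sample_image():
    """Constructed image: an MBR plus one FAT32 partition starting at sector 16."""
    start_lba, sectors = 16, 3205336 * 2            # fdisk "Blocks" are 1 KiB
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x00, 0x0B, start_lba, sectors)
    mbr[510:512] = SIGNATURE
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"                        # jump instruction
    bs[3:11] = b"mkdosfs\x00"                        # OEM name as mkdosfs writes it
    struct.pack_into("<HBHB", bs, 11, 512, 8, 32, 2)  # bytes/sector, sectors/cluster, reserved, FATs
    struct.pack_into("<II", bs, 32, sectors, 6260)   # total sectors, sectors per FAT (assumed)
    struct.pack_into("<I", bs, 44, 2)                # root directory cluster
    bs[66] = 0x29                                    # extended boot signature
    struct.pack_into("<I", bs, 67, 0x4D2A5F1E)       # volume serial (assumed)
    bs[71:82] = b"Kindle     "                       # volume label (assumed)
    bs[82:90] = b"FAT32   "
    bs[510:512] = SIGNATURE
    return bytes(mbr) + bytes(SECTOR * (start_lba - 1)) + bytes(bs)


if __name__ == "__main__":
    report = verify_image(build_sample_image())
    print("sha256", report["sha256"])
    for p in report["partitions"]:
        print("type 0x%02x at byte offset %d, %d bytes" % (p["type"], p["byte_offset"], p["size_bytes"]))
    print(report["fat32"])
```

The byte offset the parser reports (8192 for a partition starting at sector 16, which also matches the 8 KiB difference between the disk size and the block count in the fdisk output) is the value to hand to mount's offset= option when loop-mounting the image read-only, and the stored hash is what the later analysis is checked against.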


The root of this mount point contains the following directories:
/audible - location of audible books
/documents - location of books, reading files, user notes and highlighted areas
/music - location of audio files that can be played using the experimental music player
/system - location for system specific files and user's settings
The Kindle supports the following formats: Kindle (AZW), TXT, PDF, AA, AAX, MP3, unprotected MOBI, PRC, HTML, DOC, DOCX, JPEG, GIF, PNG, BMP and RTF. Because the user area is plain FAT32, the Kindle can also store files of any type, just like a standard USB drive.

Evidence in the user storage
Further investigation of the system folder reveals numerous files that could provide valuable evidence in a forensic investigation. Within /system, the Kindle automatically creates a JSON file named "collections.json". It records the user's collections (a way of organizing books on the device) and the books each collection holds, with SHA-1 hashes rather than plain file names identifying the members of each collection. The system folder also contains the "userannotlog" file, which records the title, position and timestamp of the last book viewed.

Within the system folder, the "com.amazon.ebook.booklet.reader" folder contains the "reader.pref" file and the "sidecar" folder. "reader.pref" holds information similar to "userannotlog": the date the Kindle was last used, the dictionary preference and the last book read. The "sidecar" folder holds Kindle buddy files, files that carry data (often metadata) the source file's format cannot store itself. Finally, the "Search Indexes" folder within the system directory contains numerous binary files, including "Index.db". Most of "Index.db" is unreadable, but at the end of the file are the names of files that have been loaded onto the storage area. When a file is loaded onto the Kindle, its name is appended to "Index.db" and is not removed even when the file is deleted, so files that have been deleted or removed from the Kindle still leave evidence on the device. It is unknown how many characters "Index.db" retains before it begins overwriting the earliest entries, so the absence of a name from "Index.db" cannot be taken as proof that a file was never present.
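The two /system artefacts just described, collections.json and the tail of Index.db, both point at files that may no longer be in /documents. The following Python is an added example, not code from the original post, that decodes both and cross-checks them against a listing of the files still present. It assumes the collections.json layout used by community collection-management tools: each key is "Name@locale", each value holds an "items" list and a "lastAccess" time in milliseconds since the epoch, a sideloaded book appears as "*" followed by the SHA-1 of its full device path (assumed here to be /mnt/us/documents/<name>), and a store-delivered book as "#ASIN^EBOK". Names in Index.db are carved as printable runs ending in one of the extensions the Kindle supports. The /documents listing, the collections.json text and the Index.db bytes below are all constructed sample data.

```python
"""Turn two /system artefacts into a list of files no longer on the device.

Added example, not from the original post. Assumed formats: collections.json
maps "Name@locale" to {"items": [...], "lastAccess": ms since epoch}, where a
sideloaded book is "*" + SHA-1(full device path) and a purchased one is
"#ASIN^EBOK"; Index.db keeps file names as printable runs in its tail.
All sample inputs are constructed.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

DOCS_PREFIX = "/mnt/us/documents/"   # assumed device path of the user store's /documents
KINDLE_EXTENSIONS = (".azw", ".txt", ".pdf", ".aa", ".aax", ".mp3", ".mobi", ".prc",
                     ".html", ".doc", ".docx", ".jpeg", ".jpg", ".gif", ".png", ".bmp", ".rtf")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def item_key(filename):
    """collections.json key for a sideloaded file (assumed hashing convention)."""
    return "*" + hashlib.sha1((DOCS_PREFIX + filename).encode("utf-8")).hexdigest()


def parse_collections(text, present_files):
    """Decode collections.json and resolve hashed items against files still present."""
    lookup = {item_key(name): name for name in present_files}
    collections = []
    for key, entry in json.loads(text).items():
        name, sep, locale = key.rpartition("@")
        if not sep:
            name, locale = key, ""
        last = entry.get("lastAccess")
        resolved, amazon, unresolved = [], [], []
        for item in entry.get("items", []):
            if item in lookup:
                resolved.append(lookup[item])
            elif item.startswith("#"):
                amazon.append(item)          # store-delivered book, identified by ASIN
            else:
                unresolved.append(item)      # hashed path with no matching file: removed?
        collections.append({
            "collection": name,
            "locale": locale,
            "last_access_utc": datetime.fromtimestamp(last / 1000, tz=timezone.utc).isoformat() if last else None,
            "resolved": resolved,
            "amazon": amazon,
            "unresolved": unresolved,
        })
    return collections


def carve_index_names(blob, extensions=KINDLE_EXTENSIONS):
    """Recover file names from the binary Index.db by carving printable runs."""
    names = []
    for match in PRINTABLE_RUN.finditer(blob):
        text = match.group().decode("ascii")
        if text.lower().endswith(extensions):
            names.append(text)
    return names


def missing_files(referenced, present_files):
    """Names the Kindle recorded but which are absent from the current /documents listing."""
    return sorted(set(referenced) - set(present_files))


# Constructed sample data standing in for /documents, collections.json and Index.db
PRESENT = ["alpha.azw", "notes.pdf"]
SAMPLE_COLLECTIONS = json.dumps({
    "Work@en-US": {"items": [item_key("alpha.azw"), item_key("gone.mobi"), "#B00EXAMPLE^EBOK"],
                   "lastAccess": 1307462400000},
})
SAMPLE_INDEX_DB = (b"\x00\x03\x7f\x10BINHDR\x00" +
                   b"\x00".join([b"alpha.azw", b"notes.pdf", b"gone.mobi", b"old.txt"]))


def removed_file_report(collections_text=SAMPLE_COLLECTIONS, index_blob=SAMPLE_INDEX_DB, present=PRESENT):
    """Combine both sources: carved Index.db names that are missing, plus dangling collection hashes."""
    carved = carve_index_names(index_blob)
    colls = parse_collections(collections_text, present)
    return {
        "missing_from_index": missing_files(carved, present),
        "dangling_collection_items": [i for c in colls for i in c["unresolved"]],
        "collections": colls,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(removed_file_report())
```

A hash in "unresolved" is only evidence that no file with that exact path is present now; if the hashing convention or the mount prefix differs on the device being examined, every item would land there, so confirm the convention first by hashing a known present file and looking for the result in collections.json.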

Beyond the user storage area
The rest of the 4 GB flash memory holds the Kindle operating system. To reach this part of the system without removing the flash chip from the board, a program called usbNetwork can be loaded into the root of the user-accessible mount. usbNetwork comes from the collection of debugging commands used during product development and was released with the Kindle's open source code. The debugging commands are reached by turning debugging mode on: go to the Home screen, press the Del key to open the search bar, type ";debugOn" and press Enter. Once debugging is on, further commands can be entered the same way, but consumer firmware has had nearly all of them removed. The only command still active on a stock consumer Kindle 3 is "~help", which shows the following:


Some early versions of the Kindle 3 shipped with all the debugging commands still installed, and many users jailbreak their Kindles and use debugging mode to run other programs. A popular jailbreak method leaves a folder called "usbnet" in the root directory of the user storage mount, which is worth looking for when the user area is examined.

Once the usbNetwork program is installed on the Kindle, entering ";debugOn" and then "~usbNetwork" turns the Kindle into a USB network device and creates a network link between it and a Linux workstation (on Windows, a suitable USB network driver is required). Once connected, a telnet session from the workstation to the Kindle can be opened:


This gives root access to the Kindle operating system even though the root password is unknown. As a way of reaching the entire 4 GB of flash it is of little use to a forensic investigator, because installing the program modifies the user area and the running system. Fortunately, the flash memory is relatively easy to remove from the board without damaging the device. Jailbroken Kindles, and the early releases that still have the debugging commands active, are easier to image, because commands can be sent to the Kindle's Linux operating system without installing anything. On such a device, turning debugging mode on and issuing a dd command copies the flash storage to a file in the user area:

~exec dd if=/dev/mmcblk0 of=/mnt/us/fsdump.bin bs=1024

(The command as originally printed read "in=/" and ended in a stray quote; dd's input option is "if=", and a directory cannot be read as a raw device. /mnt/us is the user area; /dev/mmcblk0 is assumed here to be the flash block device, so confirm the name from /proc/partitions on the device first.) Two caveats apply. The destination lives on the very flash being read, so the dump alters the user area, which must therefore already have been imaged, and a full 4 GB dump cannot fit in a 3.05 GB partition anyway. In practice, dump the non-user partitions individually (together they occupy well under 1 GB) or stream dd's output over the usbNetwork link to the workstation instead of writing it to /mnt/us, and hash the result immediately.


The Kindle 3 runs a lightweight Linux system whose kernel identifies itself as "Linux kindle 2.6.26-rt-lab126" (a 2.6.26 kernel with the -rt real-time patches, built by Lab126). The Kindle uses the Das U-Boot bootloader to load its operating system into memory. The networking hack installs BusyBox v1.7.2, which provides tiny versions of many common UNIX utilities in a single small executable and is frequently referred to as the "Swiss Army Knife of Embedded Linux."

BusyBox builds are found on many small embedded systems that must be size-optimized because of limited resources. Within the Linux file system, numerous mount points are created:


/proc/cpuinfo reports an ARMv6-compatible processor (v6l, CPU architecture 6TEJ, i.e. the ARM11 family) and identifies the hardware as the Amazon MX35 Luigi Board, revision 35020 (the Kindle 2 was built on the Mario board). Interestingly, after copying /etc/passwd and /etc/shadow from the Kindle's Linux system, merging them with John the Ripper's unshadow tool and running John against the result, it turned out that the password of the "framework" user on the Kindle 3 is "mario."

In addition to this system information, numerous files were found that contain valuable user data not present in the user storage mount. The file /var/local/browser/cookies stores a text log of all the cookies set in the Kindle's WebKit browser:


The file /var/log/wpa_supplicant.wlan0.log lists the device's wireless connection history, including SSID names and timestamps. The directory /opt/amazon/resolution/ stores the GIF files used for the Kindle screen saver. Finally, the file /opt/amazon/ebook/prefs/search_prefs lists the user's preferred search engines (Google and Wikipedia are the system defaults).
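The wireless history in wpa_supplicant.wlan0.log is most useful once it is turned into a timeline of which network the Kindle joined when. The following Python is an added example, not code from the original post. It assumes the log was written with wpa_supplicant's timestamp option, so that every line starts with "<epoch seconds>.<microseconds>: ", and relies on the daemon's standard messages ("Trying to associate with <BSSID> (SSID='...' ...)", "CTRL-EVENT-CONNECTED - Connection to <BSSID> completed" and "CTRL-EVENT-DISCONNECTED"); the interface prefix "wlan0: " is tolerated but not required. The log lines below are constructed.

```python
"""Build a Wi-Fi association timeline from wpa_supplicant.wlan0.log.

Added example, not from the original post. Assumed log format: each line is
prefixed with "<epoch>.<usec>: " (wpa_supplicant's timestamp option) and
carries the daemon's standard association messages. Sample lines are
constructed.
"""
import re
from datetime import datetime, timezone

LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?): (?P<msg>.*)$")
TRYING = re.compile(r"Trying to associate with (?P<bssid>[0-9a-f:]{17}) \(SSID='(?P<ssid>[^']*)'")
CONNECTED = re.compile(r"CTRL-EVENT-CONNECTED - Connection to (?P<bssid>[0-9a-f:]{17}) completed")
DISCONNECTED = re.compile(r"CTRL-EVENT-DISCONNECTED")


def _iso(ts):
    """Epoch string from the log prefix -> ISO 8601 in UTC."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat()


def parse_wpa_log(lines):
    """Return (utc_time, event, bssid, ssid) tuples for association-related lines."""
    events = []
    ssid_by_bssid = {}          # SSID named in the latest association attempt, per BSSID
    current = None              # BSSID of the live connection, if any
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue            # lines without a timestamp prefix carry no usable time
        ts, msg = m.group("ts"), m.group("msg")
        t = TRYING.search(msg)
        c = CONNECTED.search(msg)
        if t:
            ssid_by_bssid[t["bssid"]] = t["ssid"]
            events.append((_iso(ts), "attempt", t["bssid"], t["ssid"]))
        elif c:
            current = c["bssid"]
            events.append((_iso(ts), "connected", current, ssid_by_bssid.get(current, "?")))
        elif DISCONNECTED.search(msg) and current:
            events.append((_iso(ts), "disconnected", current, ssid_by_bssid.get(current, "?")))
            current = None
    return events


def summarize_networks(events):
    """Per-SSID first and last successful connection, BSSIDs seen, and connection count."""
    summary = {}
    for when, kind, bssid, ssid in events:
        if kind != "connected":
            continue
        s = summary.setdefault(ssid, {"bssids": set(), "first": when, "last": when, "connections": 0})
        s["bssids"].add(bssid)
        s["first"] = min(s["first"], when)   # ISO strings in one zone sort chronologically
        s["last"] = max(s["last"], when)
        s["connections"] += 1
    return summary


# Constructed sample log in the assumed format
SAMPLE_LOG = """\
1307623456.104233: wlan0: Trying to associate with 00:11:22:33:44:55 (SSID='HomeNet' freq=2437 MHz)
1307623456.512009: wlan0: Associated with 00:11:22:33:44:55
1307623457.020118: wlan0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed (auth) [id=0 id_str=]
1307649000.000000: wlan0: CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
1307710000.300000: wlan0: Trying to associate with 66:77:88:99:aa:bb (SSID='CoffeeShop' freq=2412 MHz)
1307710001.000000: wlan0: CTRL-EVENT-CONNECTED - Connection to 66:77:88:99:aa:bb completed (auth) [id=1 id_str=]
1307780000.000000: wlan0: Trying to associate with 00:11:22:33:44:55 (SSID='HomeNet' freq=2437 MHz)
1307780001.000000: wlan0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed (reauth) [id=0 id_str=]
""".splitlines()


if __name__ == "__main__":
    timeline = parse_wpa_log(SAMPLE_LOG)
    for when, kind, bssid, ssid in timeline:
        print(when, kind, bssid, ssid)
    for ssid, s in summarize_networks(timeline).items():
        print(ssid, sorted(s["bssids"]), s["first"], s["last"], s["connections"])
```

The timestamps are the device's own clock, so compare them against a known reference (the acquisition time, or a timestamped event in another artefact) before treating them as absolute; the SSID/BSSID pairs are what can be matched against access points at a location of interest.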

Just another device to add to the evidence list
Like any other device, the Kindle is a wealth of forensic information (and a good place to hide evidence). The user storage mount holds valuable timestamps, 3.05 GB of storage and a log listing files that have been loaded onto the device, including ones since deleted. Still more evidence lives in the operating-system area of the flash, where browser cookies, wireless connection history and search engine preferences were found. This investigation showed that even small, single-purpose devices like the Kindle can hold valuable evidence for a forensic investigator. As the number of such devices grows, detailed documentation on each is essential for timely forensic investigations. So I hope my investigation is valuable to someone out there!

5 comments:

  1. This method of access to the entire 4 gigabytes of flash memory is useful for a forensic investigator, because the installation program will cause changes in the system.

    computer hacking forensic investigator

  2. Thanks for the post, this helped a lot. I'm looking to disable the browser on my kindle 3 so I don't have to worry about what it's used for by my kids, friends, etc. I've jailbroken it already and I can turn on debugging mode but I'm not sure how to then disable/delete the browser. Any ideas? Thanks again.

  3. Fantastic post, very interesting read. One point, however: BusyBox is not native to the Kindle; it is installed during the USB Networking Hack.

    Keep up the great work! :)

    Replies
    1. Excellent point! I will update accordingly.

  4. Might want to look at using the Freescale ATK software to obtain a copy of the flash without having to load software onto the flash.
    http://wiki.mobileread.com/wiki/K3noobdebrickatk/

    Also, how would you deal with the device if it were locked? If I remember correctly, the device will not mount if the password has not been entered.
